mmcodec.com Destroyed My Computer!

joq18 · 10-11-2006, 04:17 AM

ok, i thought this was a legitamate site and i thought i was downloading a codec, and man was i wrong. as soon as i installed it all of these icons appear in my taskbar that tell me i have a virus and i need to buy the full version of some dumb antivirus software. i went to mmcodec.com and checked their user agreement and sure enough they have their little clause about how they are gonna f-up my computer because i dont read the small print...

see:
Licensor may offer additional components through our version checking/update system. These components include:
(a) "Internet Explorer Security Plugin 2006": Internet Explorer toolbar that protects your computer while you browse by setting high level of security for suspicious hosts.
(b) "Public Messenger ver 2.03": Popup advertising module that opens Internet Explorer ad windows when you are connected to internet.
(c) "Internet Security Add-On": your Internet Explorer homepage will be changed.
(d) Security software: antivirus/antispyware application.

- i scanned the computer using avg and found a virus, deleted it, and then found it again the next time i scanned.

-i did the same with adware and spy bot: found spyware, deleted, it came back.

-then i followed mmcodec.coms uninstall instructions which of course failed. the mmcodec 9.0 somehow just reappears and the other 3 programs i was able to identify (a-c in the user agreement) opened some 'bla bla failure' dialog box. and all of the uninstalls require me to reboot FIRST! so even though i know it failed i have to wait until it reboots.

SO ANYWAYS...
heres my HijackThis Log File (my last resort b4 reinstalling windows)
-----------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 6:39:12 AM, on 10/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MMediaCodec\pmsngr.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\utorrent.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\MMediaCodec\pmmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Jesse\Desktop\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\MMediaCodec\isaddon.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\utorrent.exe"
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - C:\WINDOWS\system32\dpfwu.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

---------------------------------------------------------------
please help if you can, i really would appreciate it. i am not much of a computer wiz but i can follow directions.

btw, is there anyplace i can go to report that website. they are obviously running a scam and intentionally distributing a virus.

joq18 · 10-11-2006, 05:03 AM

oh btw, one of the pop-ups ive been getting says i have 'Spyware.Cyberlog-x' and one of the pop-up 'baloons' says 'Security Alert: NetWorm-i.Virus@fp'. but these could just be fony,-

-however avg says i have Trojan horse Generic2.EPI(Iaf3a.tmp), after 2 scans with adware i found a prog called virusburster.exe and another called trojandownloader.zlob, and spybot turns up results for zlob.homepagemonitor and pesttrap.

sorry to repost like that but i thought this info might help.

Sempurna · 10-12-2006, 04:51 AM

Hi joq18,

Welcome to Tech Support Forums!

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

If you're in the USA, you could complain to the FTC and as well as the department in charge of media broadcasting (I can't remember the name... sorry). But, they can only take action against websites based in America.

OK, now let's clean up your system, shall we?

BEFORE BEGINNING, Please read completely through the instructions below. Please also print these instructions or copy them to Notepad (or another word processor), and save it for easier reference. This is because we will be in Safe Mode during the fix and you won’t be able to access the Internet to view these instructions.

1. Please download SmitfraudFix (by S!Ri).

Extract the content (a folder named SmitfraudFix) to your desktop.
Please do NOT run a scan yet!

NOTE : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

2. Please download CCleaner and save it to your desktop.

Run the CCleaner installer.
During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
Please do NOT run a scan yet!

3. Please download AVG Anti-Spyware and save that file to your desktop.

This is a 30-day trial of the program -- This means that after 30 days the "background guard" protection will be de-activated. However, this version can continue to be manually updated and used as an on-demand scanner forever.

Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the setup program.
Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
On the main screen select the "Shield" icon, then under the "Resident shield is" section change the "Active" status of AVG Anti-Spyware’s resident shield to "Inactive".
On the main screen select the "Update" icon, then under the "Manual update" section select the "Start update" button.
The update will start and a progress bar will show the updates being installed.
Once the update has completed (the progress bar will display "Update successful!") select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the "Settings" screen click on "Recommended actions" and then select "Quarantine".
Under "Reports:"
- Select "Automatically generate report after every scan".
- Un-Select "Only if threats were found".
Close AVG Anti-Spyware. Please do NOT run a scan yet!

4. Please reboot your computer into Safe Mode by doing the following:

Reboot your computer.
After hearing your computer beep once during startup, but just before the Windows icon appears, begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Instead of Windows loading as normal, a menu should appear.
Using the arrow keys on the keyboard, scroll to and select the "Safe Mode" menu item, and then press "Enter".

5. Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd

Select Option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process (if a reboot is required, please boot BACK into Safe Mode). A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

WARNING : Running Option #2 on a non-infected computer will remove your desktop background.

6. AFTER SmitfraudFix finishes (and after a reboot if required), please run CCleaner. (If a reboot is required, please boot BACK into Safe Mode)

Click the Windows tab.
Select the following:
- Check everything under the Internet Explorer section.
- Check everything under the Windows Explorer section.
- Check everything under the System section.
- Check ONLY Old Prefetch data under the Advanced section.
Then, click the Applications tab:
- UNCHECK everything there.
Next, click the Options button, then click the Advanced button:
- UNCHECK : "Only delete files in Windows Temp folders older than 48 hours", click OK.
Next, click the Cleaner button, then click the Run Cleaner button (bottom right), then Exit.

CAUTION : Please do NOT use the Issues button. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.

7. Then please open AVG Anti-Spyware. (If a reboot is required, please boot BACK into Safe Mode)

IMPORTANT : Do NOT open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process.

Select the "Scanner" icon at the top and then the "Scan" tab. Click on "Complete System Scan".
AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
- If you have any infections you will prompted, then select the "Apply all actions" button, AVG Anti-Spyware will then display "All actions have been applied" on the right hand side.
- Next select the "Save Report" button at the bottom.
- Then select the "Save report as" button in the lower left hand of the screen and save it as a text file on your system (make sure to remember where you saved that file, this is important!).
Close AVG Anti-Spyware.

Then please REBOOT normally into Windows. Please post the contents of the SmitfraudFix log located at C:\rapport.txt into this thread, along with the AVG Anti-Spyware report and a new HijackThis log.

joq18 · 10-12-2006, 12:08 PM

I have a problem. My system will not boot in safe mode. When my computer starts it offers these options:

<esc>diagnostics <f12>somthing? <f2>bios?
or somthing like that, but no option for safe mode.

so I tried everything from pressing f8 before, after, tapping it, holding it, but each time windows boots normally. I know in the past it has been able to boot in safe mode. i cant figure out why it doesnt work now. is the an alternative way to do this or an explination for why my system cant boot to safe mode?

I will continue trying in the mean time.

joq18 · 10-12-2006, 02:44 PM

Ok, I couldn't figure out why f8 won't start safe mode at startup, but i figured out how to do it through msconfig. So here are the results after following your instructions:

========================================

SmitFraudFix v2.109

Scan done at 15:52:24.64, Thu 10/12/2006
Run from C:\Documents and Settings\Jesse\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

============================================

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:45:21 PM 10/12/2006

+ Scan result:

HKU\S-1-5-21-861567501-920026266-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{479FD0CF-5BE9-4C63-8CDA-B6D371C67BD5} -> Adware.Generic : Cleaned with backup (quarantined).

::Report end

============================================

Logfile of HijackThis v1.99.1
Scan saved at 5:24:30 PM, on 10/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

==============================================

Well, so far so good, all the problems seem to be gone. Let me know if theres any problems with my logs. In the mean time ill consider it a success. THANK YOU SEMPURNA AND THANKS TECHSUPPORTFORUM!!!

joq18 · 10-12-2006, 07:29 PM

Arrrrg, it seems there is still a problem. all signs of the spyware/virus are gone (no adds, icons gone from system tray, etc...) however, my computer runs like glue. id say even slower than when i had the virus... this page took about 5 minutes to load, and windows explorer windows take several minutes to open. i'm doing more scans using avg, spybot, and adware. hope this problem stops...

Sempurna · 10-12-2006, 11:03 PM

Hi joq18,

You’re most welcome, jog18.

Yep, your system will be slower after cleaning out Smitfraud. We’ll try to make it go faster, and also try to solve your Safe Mode problem. Good work on figuring out that Safe Mode can be done through msconfig.

OK, let’s do this next.

Turn off the active guard of AVG Anti-Spyware. Also, turn it off from starting with windows. You can right-click the AVG Anti-Spyware icon in your system tray (lower right hand corner next to the clock) and disable them.

Let's run an online scan to make sure we're not leaving anything behind.

Please do an online scan with Kaspersky Online Scanner.

Click on Kaspersky Online Scanner.
You will be prompted to install an ActiveX component from Kaspersky, click Yes.
The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded click on Next.
Now click on Scan Settings.
In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
  Extended
- Scan Options:
  Scan Archives
  Scan Mail Bases
Click OK.
Now under select a target to scan:
- Select My Computer.
This program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save Report As button.
- In the File name: field, type kavscan.
- In the Save as type: field, select Text file (*.txt).
Save the file to your desktop.
Copy and paste that information in your next post.

NEXT:

Please reboot your computer normally into Windows, and then please post the log from the Kaspersky scan and a new HijackThis log.

joq18 · 10-13-2006, 07:01 AM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, October 13, 2006 9:44:14 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 13/10/2006
Kaspersky Anti-Virus database records: 231425
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 27931
Number of viruses found: 2
Number of infected objects: 9 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:32:25

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\l_100018.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Jesse\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jesse\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Jesse\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Jesse\Desktop\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Jesse\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jesse\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jesse\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jesse\Local Settings\History\History.IE5\MSHist012006101320061014\index.dat Object is locked skipped
C:\Documents and Settings\Jesse\Local Settings\Temp\Perflib_Perfdata_874.dat Object is locked skipped
C:\Documents and Settings\Jesse\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jesse\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jesse\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Jesse\UserData\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{616BCDDD-66F3-4D8A-A849-B5335BF4F778}\RP22\A0005472.exe Object is locked skipped
C:\System Volume Information\_restore{616BCDDD-66F3-4D8A-A849-B5335BF4F778}\RP22\A0005679.dll Object is locked skipped
C:\System Volume Information\_restore{616BCDDD-66F3-4D8A-A849-B5335BF4F778}\RP22\A0005681.exe Infected: Trojan-Downloader.Win32.Zlob.aoy skipped
C:\System Volume Information\_restore{616BCDDD-66F3-4D8A-A849-B5335BF4F778}\RP22\A0005691.exe Infected: Trojan-Downloader.Win32.Zlob.aoy skipped
C:\System Volume Information\_restore{616BCDDD-66F3-4D8A-A849-B5335BF4F778}\RP23\A0005757.exe Infected: Trojan-Downloader.Win32.Zlob.aoy skipped
C:\System Volume Information\_restore{616BCDDD-66F3-4D8A-A849-B5335BF4F778}\RP23\A0005772.exe Infected: Trojan-Downloader.Win32.Zlob.aoy skipped
C:\System Volume Information\_restore{616BCDDD-66F3-4D8A-A849-B5335BF4F778}\RP23\A0005788.exe Infected: Trojan-Downloader.Win32.Zlob.aoy skipped
C:\System Volume Information\_restore{616BCDDD-66F3-4D8A-A849-B5335BF4F778}\RP23\A0005789.exe Infected: Trojan-Downloader.Win32.Zlob.aoy skipped
C:\System Volume Information\_restore{616BCDDD-66F3-4D8A-A849-B5335BF4F778}\RP25\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{18BAB2A6-E0C5-4151-BA83-5878C5493BC7}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

AND MY HJT:

Logfile of HijackThis v1.99.1
Scan saved at 9:54:26 AM, on 10/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

I also notice that my system runs slow when I open alot of windows (like more than 5). When this has been happening I get a 'balloon' that says 'Windows - Virtual Memory Minimum is Low' and that it's trying to increase it. Is this a symptom of the virus or has one of my memory settings been changed in the process of fixing it?

Well, let me know what you find and thanks again...

Sempurna · 10-13-2006, 10:46 PM

Hi joq18,

How much RAM do you have? Let’s assume you have 512MB, as the recommended size of the virtual memory paging file will depend on this figure. Adjust accordingly if you have a different RAM amount.

To change the size of the virtual memory paging file you must be logged on as an administrator or a member of the Administrators group in order to complete this procedure. If your computer is connected to a network, network policy settings might also prevent you from completing this procedure.

Click Start, click Control Panel, click Performance and Maintenance, and then click System.

On the Advanced tab, under Performance, click Settings.

On the Advanced tab, under Virtual memory, click [/b]Change[/b].

Under Drive [Volume Label], click the drive that contains the paging file you want to change.

Under Paging file size for selected drive, click Custom size, and type a new paging file size in megabytes in the Initial size (MB) or Maximum size (MB) box, and then click [/b]Set[/b].

If you decrease the size of either the initial or maximum page file settings, you must restart your computer to see the effects of those changes. Increases typically do not require a restart.

To have Windows choose the best paging file size, click System managed size.

For best performance, do not set the initial size to less than the minimum recommended size under Total paging file size for all drives. The recommended size is equivalent to 1.5 times the amount of RAM on your system. Usually, you should leave the paging file at its recommended size, although you might increase its size if you routinely use programs that require a lot of memory.

Otherwise, your system appears to be clean. What Kaspersky found was in your system restore files. These are not active, and don’t pose a danger to your system. As time goes by, your computer will create new system restore points, and automatically delete these infected ones.

Please let me know how things go with the virtual memory settings, and whether your system continues to be slow. We’ll see if we can speed things up a bit if it is still slow.

10-11-2006, 04:17 AM	#1 (permalink)
joq18 Registered User Join Date: Oct 2006 Posts: 6 OS: XP Home SP2	mmcodec.com Destroyed My Computer! ok, i thought this was a legitamate site and i thought i was downloading a codec, and man was i wrong. as soon as i installed it all of these icons appear in my taskbar that tell me i have a virus and i need to buy the full version of some dumb antivirus software. i went to mmcodec.com and checked their user agreement and sure enough they have their little clause about how they are gonna f-up my computer because i dont read the small print... see: Licensor may offer additional components through our version checking/update system. These components include: (a) "Internet Explorer Security Plugin 2006": Internet Explorer toolbar that protects your computer while you browse by setting high level of security for suspicious hosts. (b) "Public Messenger ver 2.03": Popup advertising module that opens Internet Explorer ad windows when you are connected to internet. (c) "Internet Security Add-On": your Internet Explorer homepage will be changed. (d) Security software: antivirus/antispyware application. - i scanned the computer using avg and found a virus, deleted it, and then found it again the next time i scanned. -i did the same with adware and spy bot: found spyware, deleted, it came back. -then i followed mmcodec.coms uninstall instructions which of course failed. the mmcodec 9.0 somehow just reappears and the other 3 programs i was able to identify (a-c in the user agreement) opened some 'bla bla failure' dialog box. and all of the uninstalls require me to reboot FIRST! so even though i know it failed i have to wait until it reboots. SO ANYWAYS... heres my HijackThis Log File (my last resort b4 reinstalling windows) ----------------------------------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 6:39:12 AM, on 10/11/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\Explorer.EXE C:\Program Files\MMediaCodec\pmsngr.exe C:\WINDOWS\LTSMMSG.exe C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\PowerISO\PWRISOVM.EXE C:\Program Files\Messenger\msmsgs.exe C:\Program Files\utorrent.exe C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe C:\Program Files\MMediaCodec\pmmon.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\Documents and Settings\Jesse\Desktop\hijackthis\HijackThis.exe O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\MMediaCodec\isaddon.dll (file missing) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\utorrent.exe" O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O21 - SSODL: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - C:\WINDOWS\system32\dpfwu.dll O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe --------------------------------------------------------------- please help if you can, i really would appreciate it. i am not much of a computer wiz but i can follow directions. btw, is there anyplace i can go to report that website. they are obviously running a scam and intentionally distributing a virus.

10-12-2006, 04:51 AM	#3 (permalink)
Sempurna Analyst, Security Team; Assistant Rangemaster, TSF Academy Join Date: Sep 2006 Posts: 1,302 OS: Windows XP SP2	Hi joq18, Welcome to Tech Support Forums! I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help. If you're in the USA, you could complain to the FTC and as well as the department in charge of media broadcasting (I can't remember the name... sorry). But, they can only take action against websites based in America. OK, now let's clean up your system, shall we? BEFORE BEGINNING, Please read completely through the instructions below. Please also print these instructions or copy them to Notepad (or another word processor), and save it for easier reference. This is because we will be in Safe Mode during the fix and you won’t be able to access the Internet to view these instructions. 1. Please download SmitfraudFix (by S!Ri). Extract the content (a folder named SmitfraudFix) to your desktop. Please do NOT run a scan yet! NOTE : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm 2. Please download CCleaner and save it to your desktop. Run the CCleaner installer. During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar". Please do NOT run a scan yet! 3. Please download AVG Anti-Spyware and save that file to your desktop. This is a 30-day trial of the program -- This means that after 30 days the "background guard" protection will be de-activated. However, this version can continue to be manually updated and used as an on-demand scanner forever. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the setup program. Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files. On the main screen select the "Shield" icon, then under the "Resident shield is" section change the "Active" status of AVG Anti-Spyware’s resident shield to "Inactive". On the main screen select the "Update" icon, then under the "Manual update" section select the "Start update" button. The update will start and a progress bar will show the updates being installed. Once the update has completed (the progress bar will display "Update successful!") select the "Scanner" icon at the top of the screen, then select the "Settings" tab. Once in the "Settings" screen click on "Recommended actions" and then select "Quarantine". Under "Reports:" Select "Automatically generate report after every scan". Un-Select "Only if threats were found". Close AVG Anti-Spyware. Please do NOT run a scan yet! 4. Please reboot your computer into Safe Mode by doing the following: Reboot your computer. After hearing your computer beep once during startup, but just before the Windows icon appears, begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again. Instead of Windows loading as normal, a menu should appear. Using the arrow keys on the keyboard, scroll to and select the "Safe Mode" menu item, and then press "Enter". 5. Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd Select Option #2 - Clean by typing 2 and press "Enter" to delete infected files. You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the desktop background and clean registry keys associated with the infection. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter". The tool may need to restart your computer to finish the cleaning process (if a reboot is required, please boot BACK into Safe Mode). A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply. WARNING : Running Option #2 on a non-infected computer will remove your desktop background. 6. AFTER SmitfraudFix finishes (and after a reboot if required), please run CCleaner. (If a reboot is required, please boot BACK into Safe Mode) Click the Windows tab. Select the following: Check everything under the Internet Explorer section. Check everything under the Windows Explorer section. Check everything under the System section. Check ONLY Old Prefetch data under the Advanced section. Then, click the Applications tab: UNCHECK everything there. Next, click the Options button, then click the Advanced button: UNCHECK : "Only delete files in Windows Temp folders older than 48 hours", click OK. Next, click the Cleaner button, then click the Run Cleaner button (bottom right), then Exit. CAUTION : Please do NOT use the Issues button. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system. 7. Then please open AVG Anti-Spyware. (If a reboot is required, please boot BACK into Safe Mode) IMPORTANT : Do NOT open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process. Select the "Scanner" icon at the top and then the "Scan" tab. Click on "Complete System Scan". AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time. Once the scan is complete do the following: If you have any infections you will prompted, then select the "Apply all actions" button, AVG Anti-Spyware will then display "All actions have been applied" on the right hand side. Next select the "Save Report" button at the bottom. Then select the "Save report as" button in the lower left hand of the screen and save it as a text file on your system (make sure to remember where you saved that file, this is important!). Close AVG Anti-Spyware. Then please REBOOT normally into Windows. Please post the contents of the SmitfraudFix log located at C:\rapport.txt into this thread, along with the AVG Anti-Spyware report and a new HijackThis log. __________________ Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support. Donation link for Tech Support Forum

10-12-2006, 02:44 PM	#5 (permalink)
joq18 Registered User Join Date: Oct 2006 Posts: 6 OS: XP Home SP2	Got It!... Ok, I couldn't figure out why f8 won't start safe mode at startup, but i figured out how to do it through msconfig. So here are the results after following your instructions: ======================================== SmitFraudFix v2.109 Scan done at 15:52:24.64, Thu 10/12/2006 Run from C:\Documents and Settings\Jesse\Desktop\SmitfraudFix\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT Fix run in safe mode »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» End ============================================ --------------------------------------------------------- AVG Anti-Spyware - Scan Report --------------------------------------------------------- + Created at: 4:45:21 PM 10/12/2006 + Scan result: HKU\S-1-5-21-861567501-920026266-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{479FD0CF-5BE9-4C63-8CDA-B6D371C67BD5} -> Adware.Generic : Cleaned with backup (quarantined). ::Report end ============================================ Logfile of HijackThis v1.99.1 Scan saved at 5:24:30 PM, on 10/12/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\LTSMMSG.exe C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\PowerISO\PWRISOVM.EXE C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Trend Micro\Tmas\Tmas.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wbem\wmiapsrv.exe C:\hijackthis\HijackThis.exe O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe ============================================== Well, so far so good, all the problems seem to be gone. Let me know if theres any problems with my logs. In the mean time ill consider it a success. THANK YOU SEMPURNA AND THANKS TECHSUPPORTFORUM!!!

10-12-2006, 11:03 PM	#7 (permalink)
Sempurna Analyst, Security Team; Assistant Rangemaster, TSF Academy Join Date: Sep 2006 Posts: 1,302 OS: Windows XP SP2	Hi joq18, You’re most welcome, jog18. Yep, your system will be slower after cleaning out Smitfraud. We’ll try to make it go faster, and also try to solve your Safe Mode problem. Good work on figuring out that Safe Mode can be done through msconfig. OK, let’s do this next. Turn off the active guard of AVG Anti-Spyware. Also, turn it off from starting with windows. You can right-click the AVG Anti-Spyware icon in your system tray (lower right hand corner next to the clock) and disable them. Let's run an online scan to make sure we're not leaving anything behind. Please do an online scan with Kaspersky Online Scanner. Click on Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, click Yes. The program will launch and then begin downloading the latest definition files. Once the files have been downloaded click on Next. Now click on Scan Settings. In the scan settings make sure that the following are selected: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK. Now under select a target to scan: Select My Computer. This program will start and scan your system. The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected. Now click on the Save Report As button. In the File name: field, type kavscan. In the Save as type: field, select *Text file (.txt). Save the file to your desktop. Copy and paste that information in your next post. NEXT: Please reboot your computer normally into Windows, and then please post the log from the Kaspersky scan and a new HijackThis log**. __________________ Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support. Donation link for Tech Support Forum

10-13-2006, 07:01 AM	#8 (permalink)
joq18 Registered User Join Date: Oct 2006 Posts: 6 OS: XP Home SP2	Here are my latest logs: ------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Friday, October 13, 2006 9:44:14 AM Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.83.0 Kaspersky Anti-Virus database last update: 13/10/2006 Kaspersky Anti-Virus database records: 231425 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: C:\ D:\ E:\ Scan Statistics: Total number of scanned objects: 27931 Number of viruses found: 2 Number of infected objects: 9 / 0 Number of suspicious objects: 0 Duration of the scan process: 01:32:25 Infected Object Name / Virus Name / Last Action C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\avg7\l_100018.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped C:\Documents and Settings\Jesse\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Jesse\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\Documents and Settings\Jesse\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\Documents and Settings\Jesse\Desktop\SmitfraudFix.zip ZIP: infected - 1 skipped C:\Documents and Settings\Jesse\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Jesse\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Jesse\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Jesse\Local Settings\History\History.IE5\MSHist012006101320061014\index.dat Object is locked skipped C:\Documents and Settings\Jesse\Local Settings\Temp\Perflib_Perfdata_874.dat Object is locked skipped C:\Documents and Settings\Jesse\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Jesse\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Jesse\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\Jesse\UserData\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{616BCDDD-66F3-4D8A-A849-B5335BF4F778}\RP22\A0005472.exe Object is locked skipped C:\System Volume Information\_restore{616BCDDD-66F3-4D8A-A849-B5335BF4F778}\RP22\A0005679.dll Object is locked skipped C:\System Volume Information\_restore{616BCDDD-66F3-4D8A-A849-B5335BF4F778}\RP22\A0005681.exe Infected: Trojan-Downloader.Win32.Zlob.aoy skipped C:\System Volume Information\_restore{616BCDDD-66F3-4D8A-A849-B5335BF4F778}\RP22\A0005691.exe Infected: Trojan-Downloader.Win32.Zlob.aoy skipped C:\System Volume Information\_restore{616BCDDD-66F3-4D8A-A849-B5335BF4F778}\RP23\A0005757.exe Infected: Trojan-Downloader.Win32.Zlob.aoy skipped C:\System Volume Information\_restore{616BCDDD-66F3-4D8A-A849-B5335BF4F778}\RP23\A0005772.exe Infected: Trojan-Downloader.Win32.Zlob.aoy skipped C:\System Volume Information\_restore{616BCDDD-66F3-4D8A-A849-B5335BF4F778}\RP23\A0005788.exe Infected: Trojan-Downloader.Win32.Zlob.aoy skipped C:\System Volume Information\_restore{616BCDDD-66F3-4D8A-A849-B5335BF4F778}\RP23\A0005789.exe Infected: Trojan-Downloader.Win32.Zlob.aoy skipped C:\System Volume Information\_restore{616BCDDD-66F3-4D8A-A849-B5335BF4F778}\RP25\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\EventCache\{18BAB2A6-E0C5-4151-BA83-5878C5493BC7}.bin Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\h323log.txt Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped Scan process completed. AND MY HJT: Logfile of HijackThis v1.99.1 Scan saved at 9:54:26 AM, on 10/13/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\LTSMMSG.exe C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\PowerISO\PWRISOVM.EXE C:\Program Files\Messenger\msmsgs.exe C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe C:\Program Files\Trend Micro\Tmas\Tmas.exe C:\Program Files\iPod\bin\iPodService.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wbem\wmiapsrv.exe C:\hijackthis\HijackThis.exe O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe I also notice that my system runs slow when I open alot of windows (like more than 5). When this has been happening I get a 'balloon' that says 'Windows - Virtual Memory Minimum is Low' and that it's trying to increase it. Is this a symptom of the virus or has one of my memory settings been changed in the process of fixing it? Well, let me know what you find and thanks again...

10-11-2006, 05:03 AM	#2 (permalink)
joq18 Registered User Join Date: Oct 2006 Posts: 6 OS: XP Home SP2	oh btw, one of the pop-ups ive been getting says i have 'Spyware.Cyberlog-x' and one of the pop-up 'baloons' says 'Security Alert: NetWorm-i.Virus@fp'. but these could just be fony,- -however avg says i have Trojan horse Generic2.EPI(Iaf3a.tmp), after 2 scans with adware i found a prog called virusburster.exe and another called trojandownloader.zlob, and spybot turns up results for zlob.homepagemonitor and pesttrap. sorry to repost like that but i thought this info might help.

10-12-2006, 12:08 PM	#4 (permalink)
joq18 Registered User Join Date: Oct 2006 Posts: 6 OS: XP Home SP2	I have a problem. My system will not boot in safe mode. When my computer starts it offers these options: <esc>diagnostics <f12>somthing? <f2>bios? or somthing like that, but no option for safe mode. so I tried everything from pressing f8 before, after, tapping it, holding it, but each time windows boots normally. I know in the past it has been able to boot in safe mode. i cant figure out why it doesnt work now. is the an alternative way to do this or an explination for why my system cant boot to safe mode? I will continue trying in the mean time.

10-12-2006, 07:29 PM	#6 (permalink)
joq18 Registered User Join Date: Oct 2006 Posts: 6 OS: XP Home SP2	Arrrrg, it seems there is still a problem. all signs of the spyware/virus are gone (no adds, icons gone from system tray, etc...) however, my computer runs like glue. id say even slower than when i had the virus... this page took about 5 minutes to load, and windows explorer windows take several minutes to open. i'm doing more scans using avg, spybot, and adware. hope this problem stops...

10-13-2006, 10:46 PM	#9 (permalink)
Sempurna Analyst, Security Team; Assistant Rangemaster, TSF Academy Join Date: Sep 2006 Posts: 1,302 OS: Windows XP SP2	Hi joq18, How much RAM do you have? Let’s assume you have 512MB, as the recommended size of the virtual memory paging file will depend on this figure. Adjust accordingly if you have a different RAM amount. To change the size of the virtual memory paging file you must be logged on as an administrator or a member of the Administrators group in order to complete this procedure. If your computer is connected to a network, network policy settings might also prevent you from completing this procedure. Click Start, click Control Panel, click Performance and Maintenance, and then click System. On the Advanced tab, under Performance, click Settings. On the Advanced tab, under Virtual memory, click [/b]Change[/b]. Under Drive [Volume Label], click the drive that contains the paging file you want to change. Under Paging file size for selected drive, click Custom size, and type a new paging file size in megabytes in the Initial size (MB) or Maximum size (MB) box, and then click [/b]Set[/b]. If you decrease the size of either the initial or maximum page file settings, you must restart your computer to see the effects of those changes. Increases typically do not require a restart. To have Windows choose the best paging file size, click System managed size. For best performance, do not set the initial size to less than the minimum recommended size under Total paging file size for all drives. The recommended size is equivalent to 1.5 times the amount of RAM on your system. Usually, you should leave the paging file at its recommended size, although you might increase its size if you routinely use programs that require a lot of memory. Otherwise, your system appears to be clean. What Kaspersky found was in your system restore files. These are not active, and don’t pose a danger to your system. As time goes by, your computer will create new system restore points, and automatically delete these infected ones. Please let me know how things go with the virtual memory settings, and whether your system continues to be slow. We’ll see if we can speed things up a bit if it is still slow. __________________ Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support. Donation link for Tech Support Forum